First pass at fragmenting

Nick Thomas
2013-08-09 03:11:15 +01:00
parent 1acaa03799
commit cfd1b2f957
11 changed files with 405 additions and 359 deletions


@@ -33,24 +33,34 @@ unsigned short compute_checksum(unsigned short *addr, unsigned int count) {
}
void compute_ip_checksum(struct iphdr* pkt)
void compute_ip_checksum(struct iphdr *pkt)
{
pkt->check = 0x0000;
pkt->check = compute_checksum( (unsigned short*) pkt, pkt->ihl * 4 );
}
int wrap_ipv4_packet(struct rlocs* reg, struct recv_pkt* pkt, struct rsp_data* out)
int build_wrapped_ipv4_packet(struct rlocs *reg, struct rloc * s_rloc, struct rloc *d_rloc, struct packet *pkt, struct rsp_data *out)
{
out->count = 3;
assert( out->count < MAX_IOVS );
struct iphdr *wrap_hdr = (struct iphdr *) out->scratch;
uint16_t wrap_hdr_size = sizeof( struct iphdr );
unsigned char *scratch = &out->scratch[0];
ssize_t enc_size;
size_t orig_data_size = ntohs( pkt->hdr.ip.tot_len );
size_t bytes_to_encrypt = orig_data_size > 512 ? 512 : orig_data_size;
// iovec 0: wrapping header
struct iphdr* wrap_hdr = (struct iphdr*) scratch;
unsigned int wrap_hdr_size = sizeof( struct iphdr );
scratch += wrap_hdr_size;
debug( "Wrapping an IPv4 packet" );
debug( "wrap_hdr_size: %u, orig_data_size: %zu, bytes_to_encrypt: %zu", wrap_hdr_size, orig_data_size, bytes_to_encrypt );
// Areas in scratch we'll be using later
// We use two bytes to store the size of the encrypted blob
uint16_t *pkt_enc_size = (uint16_t *) (out->scratch + wrap_hdr_size );
unsigned char * pkt_enc_data = out->scratch + wrap_hdr_size + 2;
// Keep track of the total size of the data in out as we go
uint16_t out_len = 0;
out->count = 0;
memset( wrap_hdr, 0, wrap_hdr_size );
@@ -58,96 +68,171 @@ int wrap_ipv4_packet(struct rlocs* reg, struct recv_pkt* pkt, struct rsp_data* o
wrap_hdr->ihl = wrap_hdr_size / 4;
wrap_hdr->ttl = IPDEFTTL;
wrap_hdr->protocol = IPPROTO_HIDE_EID;
wrap_hdr->frag_off = htons( 0x4000 ); // DF bit set
wrap_hdr->frag_off = htons( IP_DF ); // DF bit set
wrap_hdr->saddr = s_rloc->addr.ip4.s_addr;
wrap_hdr->daddr = d_rloc->addr.ip4.s_addr;
// FIXME: Do we need to set an ID ?
// iovec 0: encapsulating IP header.
out->iovs[0].iov_base = wrap_hdr;
out->iovs[0].iov_len = wrap_hdr_size;
out_len += wrap_hdr_size;
out->count++;
// TODO: id, still needs filling now.
// We need to know source and destination rlocs to construct the packet
struct rloc* s_rloc;
struct rloc* d_rloc;
struct in_addr tmp;
tmp.s_addr = pkt->hdr.ip.saddr;
if ( ( s_rloc = rloc_find_for_ipv4( reg, &tmp ) ) == NULL ) {
warn( "Couldn't find source rloc, dropping packet" );
// TODO: fallback behaviour here?
return 0;
}
tmp.s_addr = pkt->hdr.ip.daddr;
if ( ( d_rloc = rloc_find_for_ipv4( reg, &tmp ) ) == NULL ) {
warn( "Couldn't find destination rloc, dropping packet" );
// TODO: fallback behaviour here?
return 0;
}
wrap_hdr->saddr = s_rloc->addr.ip4.s_addr;
wrap_hdr->daddr = d_rloc->addr.ip4.s_addr;
// iovec 1: encrypted part.
// FIXME: Need to inspect the protocol field and gobble up the TCP/UDP/etc
// header as well, for decent anonymity. TCP/UDP ports are an obvious way
// to perform a correlation attack.
// RSA pubkey encryption with 4096-bit keys gobbles up at least 512 bytes
// of space, so we make sure to use it.
ssize_t enc_size;
size_t orig_data_size = ntohs( pkt->hdr.ip.tot_len );
size_t bytes_to_encrypt;
if ( orig_data_size > 512 ) {
bytes_to_encrypt = 512; // No point wasting bytes on padding
} else {
bytes_to_encrypt = orig_data_size;
}
off_t enc_max_len = IP_MAXPACKET - wrap_hdr_size - orig_data_size - bytes_to_encrypt;
// We use two bytes to store the size of the encrypted blob
unsigned short *pkt_enc_size = (unsigned short *) scratch;
scratch += 2;
// Encrypt the first 512 or so bytes of the data. FIXME: introspect and
// calculate exactly how many bytes for TCP, UDP, etc. to do as little work
// as we can get away with, here. fragments > 0 don't need encrypting at all
enc_size = rlocs_encrypt(
reg, s_rloc, d_rloc,
(unsigned char *)&pkt->hdr, bytes_to_encrypt, scratch, enc_max_len - 2
(unsigned char *)&pkt->hdr, bytes_to_encrypt,
pkt_enc_data, IP_MAXPACKET - wrap_hdr_size - 2
);
if ( enc_size < 0 ) {
warn( "failed to encrypt, dropping packet" );
debug( "Failed to encrypt, dropping packet" );
return 0;
}
debug( "enc_size: %li", enc_size );
*pkt_enc_size = htons( enc_size );
enc_size += 2;
scratch = (unsigned char*) pkt_enc_size;
warn( "Encrypted size: 2 + %zu", enc_size - 2);
// iovec 1: encrypted portion of encpasulated packet
out->iovs[1].iov_base = pkt_enc_size;
out->iovs[1].iov_len = enc_size + 2;
out_len += enc_size + 2;
out->count++;
out->iovs[1].iov_base = scratch;
out->iovs[1].iov_len = enc_size;
scratch += enc_size;
debug( "iovs[0]: %p, %zu", out->iovs[0].iov_base, out->iovs[0].iov_len );
debug( "iovs[1]: %p, %zu", out->iovs[1].iov_base, out->iovs[1].iov_len );
// iovec 2: unencrypted remains
if ( bytes_to_encrypt == orig_data_size ) {
out->count = 2;
out->iovs[2].iov_base = NULL;
out->iovs[2].iov_len = 0;
} else {
out->iovs[2].iov_base = (char *) pkt + bytes_to_encrypt;
out->iovs[2].iov_len = ntohs( pkt->hdr.ip.tot_len ) - bytes_to_encrypt;
// iovec 2: unencrypted remains of encapsulated packet, if present
if ( bytes_to_encrypt < orig_data_size ) {
out->iovs[2].iov_base = ((char *) pkt) + bytes_to_encrypt;
out->iovs[2].iov_len = orig_data_size - bytes_to_encrypt;
out_len += orig_data_size - bytes_to_encrypt;
out->count++;
debug( "iovs[2]: %p, %zu", out->iovs[2].iov_base, out->iovs[2].iov_len );
}
wrap_hdr->tot_len = htons( wrap_hdr_size + enc_size + out->iovs[2].iov_len );
wrap_hdr->tot_len = htons( out_len );
compute_ip_checksum( wrap_hdr );
info( "Finished wrapping IPv4 packet" );
debug( "Finished wrapping IPv4 packet" );
return 1;
}
int wrap_ipv6_packet(struct rlocs *reg, struct recv_pkt* pkt, struct rsp_data* out)
void build_icmp_too_big( uint16_t max_mtu, struct in_addr *rloc_src, struct packet *pkt, struct rsp_data *out )
{
struct iphdr *ip = (struct iphdr*) out->scratch;
struct icmphdr *icmp = (struct icmphdr *) ( out->scratch + sizeof( struct iphdr ) );
uint16_t icmp_size = sizeof( struct icmphdr ) + ( pkt->hdr.ip.ihl * 4 ) + 8;
debug( "Building ICMP Too Big packet" );
memset( out->scratch, 0, sizeof( struct iphdr ) + sizeof( struct icmphdr ) );
ip->version = 4;
ip->ihl = sizeof( struct iphdr ) / 4;
ip->ttl = IPDEFTTL;
ip->protocol = IPPROTO_ICMP;
ip->saddr = rloc_src->s_addr;
ip->daddr = pkt->hdr.ip.saddr;
icmp->type = ICMP_DEST_UNREACH;
icmp->code = ICMP_FRAG_NEEDED;
icmp->un.frag.mtu = htons( max_mtu );
out->iovs[0].iov_base = out->scratch;
out->iovs[0].iov_len = sizeof( struct iphdr ) + icmp_size;
memcpy( ((char *)icmp) + sizeof( struct icmphdr ), pkt, icmp_size - sizeof( struct icmphdr ) );
//out->iovs[1].iov_base = pkt;
//out->iovs[1].iov_len = ( pkt->hdr.ip.ihl * 4 ) + 8;
ip->tot_len = htons( out->iovs[0].iov_len );
icmp->checksum = compute_checksum( (unsigned short *)icmp, icmp_size );
compute_ip_checksum( ip );
out->count = 1;
return;
}
int wrap_ipv4_packet( struct rlocs *reg, struct packet *pkt, struct rsp_data *frag1, struct rsp_data *frag2 )
{
struct rloc *s_rloc, *d_rloc;
if ( ( s_rloc = rloc_find_for_ipv4( reg, (struct in_addr *)&pkt->hdr.ip.saddr ) ) == NULL ) {
debug( "Couldn't find source RLOC for (TODO), dropping packet" );
return 0;
}
if ( ( d_rloc = rloc_find_for_ipv4( reg, (struct in_addr *)&pkt->hdr.ip.daddr ) ) == NULL ) {
debug( "Couldn't find destination RLOC for (TODO), dropping packet" );
return 0;
}
uint16_t max_size = rlocs_get_path_mtu( reg, s_rloc, d_rloc );
uint16_t pkt_tot_len = ntohs( pkt->hdr.ip.tot_len );
uint16_t pkt_hdr_len = pkt->hdr.ip.ihl * 4;
int num_packets = 1;
// fragmentation is needed.
if ( pkt_tot_len > max_size - WRAP_OVERHEAD ) {
debug( "Packet needs fragmenting" );
// DF bit set, so return ICMP Too Big
if ( ntohs( pkt->hdr.ip.frag_off ) & IP_DF ) {
build_icmp_too_big( max_size, &s_rloc->addr.ip4, pkt, frag1 );
return 1;
}
num_packets = 2;
// good enough, it's getting encrypted and only needs to be unique for
// a short period of time
uint16_t frag_id = (uint16_t) rand();
// Must be an 8-byte offset
uint16_t frag_off = ( pkt_tot_len - pkt_hdr_len ) / 2;
frag_off += frag_off%8;
uint16_t frag2_size = pkt_tot_len - pkt_hdr_len - frag_off;
if ( pkt_hdr_len > sizeof( struct iphdr ) ) {
warn( "FIXME: options specified with IP header are not handled correctly during fragmentation yet" );
}
// wrap_ipv4_packet only touches scratch upto IP_MAXPACKET. We allocate
// double that.
struct packet *pkt2 = (struct packet *) frag2->scratch + IP_MAXPACKET;
pkt->hdr.ip.tot_len = htons( pkt_hdr_len + frag_off );
pkt->hdr.ip.id = htons( frag_id );
pkt->hdr.ip.frag_off = htons( 0 | IP_MF );
memcpy( pkt2, pkt, pkt_hdr_len );
pkt2->hdr.ip.tot_len = htons( pkt_tot_len - frag_off );
pkt2->hdr.ip.frag_off = htons( frag_off / 8 );
memcpy( ((char *)pkt2) + pkt_hdr_len, ((char*)pkt)+pkt_hdr_len, frag2_size );
if ( !build_wrapped_ipv4_packet( reg, s_rloc, d_rloc, pkt2, frag2 ) ) {
debug( "Couldn't wrap packet 2 of 2 ");
return 0;
}
}
if ( !build_wrapped_ipv4_packet( reg, s_rloc, d_rloc, pkt, frag1 ) ) {
debug( "Couldn't wrap packet 1 of %i", num_packets );
return 0;
}
return num_packets;
}
int wrap_ipv6_packet(struct rlocs *reg, struct packet *pkt, struct rsp_data *out)
{
warn( "STUB: wrap_ipv6_packet" );
return 0;
@@ -155,7 +240,7 @@ int wrap_ipv6_packet(struct rlocs *reg, struct recv_pkt* pkt, struct rsp_data* o
int unwrap_ipv4_packet(struct rlocs* reg, struct recv_pkt* pkt, struct rsp_data* out)
int unwrap_ipv4_packet(struct rlocs* reg, struct packet *pkt, struct rsp_data *out)
{
out->count = 2;
assert( out->count < MAX_IOVS );
@@ -222,7 +307,7 @@ int unwrap_ipv4_packet(struct rlocs* reg, struct recv_pkt* pkt, struct rsp_data*
return 1;
}
int unwrap_ipv6_packet(struct rlocs *reg, struct recv_pkt* pkt, struct rsp_data* out)
int unwrap_ipv6_packet(struct rlocs *reg, struct packet *pkt, struct rsp_data *out)
{
warn( "STUB: unwrap_ipv6_packet" );